The missing dotnet_coreproxy.config file can be found in the default install of CF, which would typically be C:\JRun4\servers\cfusion\cfusion.ear\cfusion.war\WEB-INF\cfusion\lib\dotnet_coreproxy.config

Just locate the file and copy it over to the new location. This should resolve the issue.

A web application authenticates a user without first invalidating the existing session ID, thereby continuing to use the session ID already associated with the user.

An attacker is able to force a known session ID on a user so that, once the user authenticates, the attacker has access to the authenticated session.

To resolve this in ColdFusion, you could take the following steps:

index.cfm posts the login credentials to checkLogin.cfm. On this page I expire the existing jsessionid cookie and then make a cfhttp call to verify.cfm, passing the login credentials along. verify.cfm authenticates the user and sets the session variables for the user. Once checkLogin.cfm gets the response back, I parse the jsessionid out of the cookie header and set a new jsessionid cookie on the checkLogin.cfm page.
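
A sketch of checkLogin.cfm for the steps above, added here as an example and not the original author's code. It assumes J2EE session variables are enabled, that the form fields are named `username` and `password`, that verify.cfm is reachable on the same host over HTTPS, and that verify.cfm returns the body `OK` on success; the `home.cfm` redirect target is also hypothetical.

```cfml
<!--- checkLogin.cfm: added example, not the author's code.
      Assumed names: form.username, form.password, the "OK" reply, home.cfm. --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">

<!--- 1. Expire the pre-login session ID the browser presented --->
<cfcookie name="jsessionid" value="" expires="now">

<!--- 2. Server-side call to verify.cfm. The browser's cookies are not forwarded,
         so verify.cfm runs in a session whose ID the client never chose. --->
<cfhttp url="https://#cgi.server_name#/verify.cfm" method="post"
        result="verifyResult" redirect="no">
    <cfhttpparam type="formfield" name="username" value="#form.username#">
    <cfhttpparam type="formfield" name="password" value="#form.password#">
</cfhttp>

<!--- 3. Collect Set-Cookie: a string for one header, a struct for several --->
<cfset setCookies = arrayNew(1)>
<cfif structKeyExists(verifyResult.responseHeader, "Set-Cookie")>
    <cfset raw = verifyResult.responseHeader["Set-Cookie"]>
    <cfif isSimpleValue(raw)>
        <cfset arrayAppend(setCookies, raw)>
    <cfelseif isStruct(raw)>
        <cfloop collection="#raw#" item="k">
            <cfset arrayAppend(setCookies, raw[k])>
        </cfloop>
    </cfif>
</cfif>

<!--- 4. Parse the new jsessionid value out of the cookie header --->
<cfset newSessionId = "">
<cfloop array="#setCookies#" index="c">
    <cfset m = reFindNoCase("jsessionid=([^;,\s]+)", c, 1, true)>
    <cfif m.pos[1] GT 0 AND arrayLen(m.pos) GTE 2>
        <cfset newSessionId = mid(c, m.pos[2], m.len[2])>
        <cfbreak>
    </cfif>
</cfloop>

<!--- 5. Hand over the new session only if verify.cfm reported success.
         On failure no cookie is set, so the old ID stays expired. --->
<cfif trim(verifyResult.fileContent) EQ "OK" AND len(newSessionId)>
    <!--- httponly requires ColdFusion 9 or later --->
    <cfcookie name="jsessionid" value="#newSessionId#" secure="true" httponly="true">
    <cflocation url="home.cfm" addtoken="no">
<cfelse>
    <cflocation url="index.cfm?error=1" addtoken="no">
</cfif>
```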